
Google finds malicious sites pushing iOS exploits for years


Image: Google Project Zero

Security researchers at Google said they found malicious websites that served iPhone exploits for almost three years.

The attacks weren’t aimed at particular iOS users, as most iOS exploits tend to be used, but were aimed at any user accessing these sites via an iPhone.

“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Ian Beer, a member of Google Project Zero, Google’s elite security team.

The exploits also didn’t require any user interaction to trigger. Google said the first website to host any of the exploits went live on September 13, 2016. The websites appeared to have been hacked, and the exploits planted by a third-party, rather than the site owner.

“We estimate that these sites receive thousands of visitors per week,” Beer said.

14 exploits, five exploit chains, at least one zero-day

This nefarious and secretive hacking operation was discovered earlier this year when Google’s Threat Analysis Group (TAG) came across the hacked sites.

“We reported these issues to Apple with a 7-day deadline on 1 Feb 2019, which resulted in the out-of-band release of iOS 12.1.4 on 7 Feb 2019,” Beer said.

In total, Beer said Google found exploits targeting 14 iOS vulnerabilities, grouped in five exploit chains. Seven vulnerabilities impacted the iPhone’s web browser, five the kernel, and two were sandbox escapes. The exploits targeted iOS versions 10.x, 11.x, and 12.x.

Malware could steal messages, photos, GPS coordinates

Beer and his Project Zero colleagues have published teardowns of the five exploit chains, and the exploited vulnerabilities [1, 2, 3, 4, 5], along with blog posts detailing the JSC exploit that allowed hackers to gain an initial foothold in victims’ browsers, and an analysis of the implant that was left on infected devices.

According to Beer, this implant (the malware planted on infected iPhones) could “steal private data like iMessages, photos and GPS location in real-time.” The good news was that the implant wasn’t capable of establishing boot persistence on the device: simply rebooting the phone would remove it, and the device stayed clean until the user revisited one of the hacked websites.

Furthermore, Beer also noted that while most of the exploits targeted older vulnerabilities that Apple had already patched, at least one exploit chain used vulnerabilities that were still zero-days (unpatched) at the time of discovery. These were CVE-2019-7287 and CVE-2019-7286, patched in iOS 12.1.4, released in February 2019. [This zero-day was part of exploit chain #4 in the graph above]

The Google researcher also warned that other similar hacking campaigns and exploit chains might still be around, and described the sites Google found as “a failure case for the attacker.”

“There are almost certainly others that are yet to be seen,” he said.

Google didn’t release any information about the sites serving the exploits.


